The OSSRA data clearly shows that development teams need to improve at open source management, and in particular at keeping open source components up to date. The consequences of running older, more vulnerable versions of open source can be grim. For example, #2 of the top 10 vulnerabilities listed in the 2024 OSSRA is a cross-site scripting vulnerability affecting jQuery versions from 1.2 up to, but not including, 3.5.0. The issue was patched in jQuery 3.5.0, yet a third of the codebases scanned for security risks were still using a jQuery version vulnerable to it. Cross-site scripting lets an attacker run script of their choosing in a victim's browser, so an exploit of that vulnerability means malicious data could be used to breach a system, or sensitive data such as passwords or credit card information could be exposed.
jQuery is not inherently insecure. In fact, it is a well-maintained open source library with a large community of users, developers, and maintainers. But according to the OSSRA data, jQuery was the component in which vulnerabilities were most often found, even though every jQuery vulnerability listed in the report has a patch available. It is important for users of jQuery, and indeed of all open source, to be aware of the security risks that come with running older versions of software, and to take steps to mitigate those risks.
Most maintainers (contributors who lead an open source project) are diligent about keeping the projects they're involved with up to date. The same diligence needs to be encouraged in open source consumers, who need to know which versions they have in use (including transitive copies pulled in by other dependencies), establish a regular cadence for updates, and practice software hygiene: download only from projects with a healthy ecosystem of maintainers and contributors.
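The inventory check described above, as an added example that is not part of the OSSRA report or of jQuery itself: a small Node script that reads the components recorded in a package-lock.json (a constructed sample is embedded inline), compares each version against a known-vulnerable range with a minimal semver comparison, and reports any copy that falls inside it. The only advisory encoded is the jQuery range discussed in the text (1.2 up to, not including, 3.5.0); the lockfile contents, package names and paths are assumptions made for the example.

```javascript
// Added example, not from the OSSRA report: flag open source components whose
// installed version falls inside a known-vulnerable range. The sample lockfile
// below is constructed for illustration.

// Parse "1.2", "v3.4.1" or "3.5.0-rc1" into [major, minor, patch]; a
// pre-release suffix is dropped and missing fields are treated as 0.
function parseVersion(v) {
  const core = v.trim().replace(/^v/, '').split('-')[0];
  const parts = core.split('.').map(Number);
  if (parts.length === 0 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0); // "1.2" -> 1.2.0
  return parts;
}

// Returns -1, 0 or 1 like a comparator; numeric, so 3.10.0 > 3.9.0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is "introduced" (inclusive) up to "fixed" (exclusive), the shape most
// advisory feeds use. 3.5.0 itself is therefore NOT vulnerable.
function inRange(version, { introduced, fixed }) {
  return compareVersions(version, introduced) >= 0 && compareVersions(version, fixed) < 0;
}

// Advisory data: only the jQuery issue from the text.
const ADVISORIES = [
  {
    component: 'jquery',
    summary: 'cross-site scripting, patched in 3.5.0',
    introduced: '1.2.0',
    fixed: '3.5.0',
  },
];

// Constructed sample in the shape of package-lock.json (lockfileVersion 2+),
// whose "packages" map is keyed by install path. The root project is keyed "".
// Note the second, nested copy of jQuery pulled in by another dependency.
const SAMPLE_LOCKFILE = {
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/jquery': { version: '3.4.1' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/legacy-widget': { version: '2.0.0' },
    'node_modules/legacy-widget/node_modules/jquery': { version: '1.12.4' },
    'node_modules/modern-widget/node_modules/jquery': { version: '3.5.1' },
  },
};

// Turn lockfile entries into { name, version, path }; the package name is the
// part after the last "node_modules/", which also handles nested copies.
function inventoryFromLockfile(lock) {
  const marker = 'node_modules/';
  return Object.entries(lock.packages)
    .filter(([path]) => path.includes(marker))
    .map(([path, meta]) => ({
      name: path.slice(path.lastIndexOf(marker) + marker.length),
      version: meta.version,
      path,
    }));
}

function findVulnerable(inventory, advisories = ADVISORIES) {
  const findings = [];
  for (const item of inventory) {
    for (const adv of advisories) {
      if (item.name === adv.component && inRange(item.version, adv)) {
        findings.push({ ...item, summary: adv.summary, fixedIn: adv.fixed });
      }
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample: reports the two pre-3.5.0 copies.
const findings = findVulnerable(inventoryFromLockfile(SAMPLE_LOCKFILE));
for (const f of findings) {
  console.log(`${f.path}: ${f.name}@${f.version} (${f.summary}); upgrade to >= ${f.fixedIn}`);
}
```

The point of walking the lockfile by install path rather than by top-level dependency is the nested copy: a project can have upgraded its own jQuery to 3.5.x and still ship a vulnerable 1.x copy underneath a widget it depends on, which is exactly the kind of component the report's scans keep finding.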